We added 2 config options which will log more information about certificate verification failures.
$ cat /etc/pulp/repo_auth.conf
[main]
enabled: false
log_failed_cert: true
log_failed_cert_verbose: false
If a certificate fails verification we will log summary info about each Certificate/CA/CRL, additionally you may enable 'log_failed_cert_verbose' and it will output the full decoded text of the Certificate to verify as well.
https://fedorahosted.org/pulp/wiki/Certificates/Debugging

This is a really important addition. It's frustrating to get an
unauthorized but have no idea why, so having some visibility into why
someone was refused instead of having to manually piece through the
certificate and CAs is going to go a long way. Nicely done.